LLVM Bugzilla is read-only and represents the historical archive of all LLVM issues filled before November 26, 2021. Use github to submit LLVM bugs

Bug 51200 - ICE on valid code at -O1: llvm::IRBuilderBase::CreatePtrDiff(llvm::Value*, llvm::Value*, const llvm::Twine&): Assertion `LHS->getType() == RHS->getType() && "Pointer subtraction operand types must match!"' failed.
Summary: ICE on valid code at -O1: llvm::IRBuilderBase::CreatePtrDiff(llvm::Value*, ll...
Status: RESOLVED FIXED
Alias: None
Product: libraries
Classification: Unclassified
Component: Transformation Utilities (show other bugs)
Version: trunk
Hardware: PC All
: P enhancement
Assignee: Unassigned LLVM Bugs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-23 17:59 PDT by Chengnian Sun
Modified: 2021-07-26 08:13 PDT (History)
5 users (show)

See Also:
Fixed By Commit(s): 87d604ffe494

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Chengnian Sun 2021-07-23 17:59:30 PDT 
$ clang-trunk -v
clang version 13.0.0 (https://github.com/llvm/llvm-project.git ab5ac659c81a453a3f58df94f39fe8ba3cd35918)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /home/cnsun/usr/bin
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/10
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/8
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/9
Selected GCC installation: /usr/lib/gcc/x86_64-linux-gnu/10
Candidate multilib: .;@m64
Candidate multilib: 32;@m32
Candidate multilib: x32;@mx32
Selected multilib: .;@m64

$ cat mutant.c
int sprintf(char **, const *, ...);
g1(d) {
  const *p1;
  if (sprintf(d, "%s", p1))
    abort();
}

$ clang-trunk -w -O1 mutant.c
clang-13: /tmp/tmp.Gcp8nSn9Hr-clang-builder/llvm-project/llvm/lib/IR/IRBuilder.cpp:994: llvm::Value* llvm::IRBuilderBase::CreatePtrDiff(llvm::Value*, llvm::Value*, const llvm::Twine&): Assertion `LHS->getType() == RHS->getType() && "Pointer subtraction operand types must match!"' failed.
PLEASE submit a bug report to https://bugs.llvm.org/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.	Program arguments: /scratch/software/clang-trunk/bin/clang-13 -cc1 -triple x86_64-unknown-linux-gnu -emit-obj --mrelax-relocations -disable-free -main-file-name mutant.c -mrelocation-model static -mframe-pointer=none -fmath-errno -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/scratch/cnsun/workspace/perses-fuzzer/temp_testing_campaigns/default_finding_folder_c/crash_20210708_161828_2946/delta/perses_result -resource-dir /scratch/software/clang-trunk/lib/clang/13.0.0 -c-isystem . -c-isystem /usr/local/include/cmsith -internal-isystem /scratch/software/clang-trunk/lib/clang/13.0.0/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O1 -w -fdebug-compilation-dir=/scratch/cnsun/workspace/perses-fuzzer/temp_testing_campaigns/default_finding_folder_c/crash_20210708_161828_2946/delta/perses_result -ferror-limit 19 -fgnuc-version=4.2.1 -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/mutant-c35c17.o -x c mutant.c
1.	<eof> parser at end of file
2.	Optimizer
 #0 0x00005626fabf6754 PrintStackTraceSignalHandler(void*) Signals.cpp:0:0
 #1 0x00005626fabf3e6e SignalHandler(int) Signals.cpp:0:0
 #2 0x00007fa20e3c03c0 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x153c0)
 #3 0x00007fa20de5f18b raise /build/glibc-ZN95T4/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:51:1
 #4 0x00007fa20de3e859 abort /build/glibc-ZN95T4/glibc-2.31/stdlib/abort.c:81:7
 #5 0x00007fa20de3e729 get_sysdep_segment_value /build/glibc-ZN95T4/glibc-2.31/intl/loadmsgcat.c:509:8
 #6 0x00007fa20de3e729 _nl_load_domain /build/glibc-ZN95T4/glibc-2.31/intl/loadmsgcat.c:970:34
 #7 0x00007fa20de4ff36 (/lib/x86_64-linux-gnu/libc.so.6+0x36f36)
 #8 0x00005626fa26caa4 llvm::IRBuilderBase::CreatePtrDiff(llvm::Value*, llvm::Value*, llvm::Twine const&) (/scratch/software/clang-trunk/bin/clang-13+0x319baa4)
 #9 0x00005626fada6c3f llvm::LibCallSimplifier::optimizeSPrintFString(llvm::CallInst*, llvm::IRBuilderBase&) (/scratch/software/clang-trunk/bin/clang-13+0x3cd5c3f)
#10 0x00005626fadae190 llvm::LibCallSimplifier::optimizeSPrintF(llvm::CallInst*, llvm::IRBuilderBase&) (/scratch/software/clang-trunk/bin/clang-13+0x3cdd190)
#11 0x00005626fadb4293 llvm::LibCallSimplifier::optimizeCall(llvm::CallInst*, llvm::IRBuilderBase&) (/scratch/software/clang-trunk/bin/clang-13+0x3ce3293)
#12 0x00005626fa595b26 llvm::InstCombinerImpl::tryOptimizeCall(llvm::CallInst*) (/scratch/software/clang-trunk/bin/clang-13+0x34c4b26)
#13 0x00005626fa59a8ec llvm::InstCombinerImpl::visitCallBase(llvm::CallBase&) (/scratch/software/clang-trunk/bin/clang-13+0x34c98ec)
#14 0x00005626fa59c77c llvm::InstCombinerImpl::visitCallInst(llvm::CallInst&) (/scratch/software/clang-trunk/bin/clang-13+0x34cb77c)
#15 0x00005626fa55a678 llvm::InstCombinerImpl::run() (/scratch/software/clang-trunk/bin/clang-13+0x3489678)
#16 0x00005626fa55cc53 combineInstructionsOverFunction(llvm::Function&, llvm::InstCombineWorklist&, llvm::AAResults*, llvm::AssumptionCache&, llvm::TargetLibraryInfo&, llvm::TargetTransformInfo&, llvm::DominatorTree&, llvm::OptimizationRemarkEmitter&, llvm::BlockFrequencyInfo*, llvm::ProfileSummaryInfo*, unsigned int, llvm::LoopInfo*) InstructionCombining.cpp:0:0
#17 0x00005626fa55ecb1 llvm::InstCombinePass::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) (/scratch/software/clang-trunk/bin/clang-13+0x348dcb1)
#18 0x00005626fbe05386 llvm::detail::PassModel<llvm::Function, llvm::InstCombinePass, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Function> >::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) (/scratch/software/clang-trunk/bin/clang-13+0x4d34386)
#19 0x00005626fa30b076 llvm::PassManager<llvm::Function, llvm::AnalysisManager<llvm::Function> >::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) (/scratch/software/clang-trunk/bin/clang-13+0x323a076)
#20 0x00005626f8743306 llvm::detail::PassModel<llvm::Function, llvm::PassManager<llvm::Function, llvm::AnalysisManager<llvm::Function> >, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Function> >::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) (/scratch/software/clang-trunk/bin/clang-13+0x1672306)
#21 0x00005626fa309b99 llvm::ModuleToFunctionPassAdaptor::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/scratch/software/clang-trunk/bin/clang-13+0x3238b99)
#22 0x00005626f8743d36 llvm::detail::PassModel<llvm::Module, llvm::ModuleToFunctionPassAdaptor, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Module> >::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/scratch/software/clang-trunk/bin/clang-13+0x1672d36)
#23 0x00005626fa30747f llvm::PassManager<llvm::Module, llvm::AnalysisManager<llvm::Module> >::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/scratch/software/clang-trunk/bin/clang-13+0x323647f)
#24 0x00005626faf331cc (anonymous namespace)::EmitAssemblyHelper::EmitAssemblyWithNewPassManager(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) BackendUtil.cpp:0:0
#25 0x00005626faf3643d clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::StringRef, llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) (/scratch/software/clang-trunk/bin/clang-13+0x3e6543d)
#26 0x00005626fbd8a7af clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) (/scratch/software/clang-trunk/bin/clang-13+0x4cb97af)
#27 0x00005626fce4ef59 clang::ParseAST(clang::Sema&, bool, bool) (/scratch/software/clang-trunk/bin/clang-13+0x5d7df59)
#28 0x00005626fbd892f8 clang::CodeGenAction::ExecuteAction() (/scratch/software/clang-trunk/bin/clang-13+0x4cb82f8)
#29 0x00005626fb627419 clang::FrontendAction::Execute() (/scratch/software/clang-trunk/bin/clang-13+0x4556419)
#30 0x00005626fb5bd07e clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/scratch/software/clang-trunk/bin/clang-13+0x44ec07e)
#31 0x00005626fb705710 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/scratch/software/clang-trunk/bin/clang-13+0x4634710)
#32 0x00005626f847115d cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/scratch/software/clang-trunk/bin/clang-13+0x13a015d)
#33 0x00005626f846d4a8 ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&) driver.cpp:0:0
#34 0x00005626f8398126 main (/scratch/software/clang-trunk/bin/clang-13+0x12c7126)
#35 0x00007fa20de400b3 __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:342:3
#36 0x00005626f846d01e _start (/scratch/software/clang-trunk/bin/clang-13+0x139c01e)
clang-13: error: unable to execute command: Aborted (core dumped)
clang-13: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 13.0.0 (https://github.com/llvm/llvm-project.git ab5ac659c81a453a3f58df94f39fe8ba3cd35918)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /home/cnsun/usr/bin
clang-13: note: diagnostic msg:
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang-13: note: diagnostic msg: /tmp/mutant-b7d93a.c
clang-13: note: diagnostic msg: /tmp/mutant-b7d93a.sh
clang-13: note: diagnostic msg:

********************
Comment 1 Sanjay Patel 2021-07-26 08:13:43 PDT 
This could be viewed as a failure of function signature matching (see related bugs), but if it is, then it is a much bigger problem than matching sprintf alone. We don't check exact pointer type for any library calls AFAICT. I'm also not sure how that will play out if LLVM goes to type-less pointers.

For now, just cast around the type difference to allow this fold (and not crash):
https://reviews.llvm.org/rG87d604ffe494